In the ongoing cat-and-mouse game of securing IT software and hardware, vendors are sharply split on the wisdom of paying third-party researchers to bring vulnerabilities to their attention. For some, like Mozilla and HP, paying those fees is just part of doing business. For others, the practice is strictly off limits.
Everyone seems to agree that working with the research community is critical, so what makes the difference? Reporting from the Black Hat security conference, Datamation canvasses security executives at several major IT firms on their approach toward paying researchers for vulnerabilities.
There is an ongoing debate in the IT security community about whether or not it makes sense for software and hardware vendors to pay researchers for finding vulnerabilities. For some vendors like Mozilla and HP (NYSE:HPQ), rewarding researchers is a part of their security model. On the other hand, Microsoft has steadfastly kept to a policy of not paying those who uncover security holes. Networking giant Cisco (NASDAQ:CSCO) has more of a bartering system for rewarding researchers.
The different approaches help to illustrate how each vendor prefers to deal with the security research community. The bottom line, though, is that all vendors want to be informed when their software is vulnerable; the only question is how they work with researchers to actually get that information.